
posted by martyb on Sunday March 10 2019, @10:57PM
from the get-off-my-lawn dept.

Professor Eugene Spafford at Purdue University, the father of the field of Internet security, has some takes on this year's RSA conference:

I have now attended 13 of the last 18 RSA Conferences (see some of my comments for 2016, 2015, and 2014). Before there were RSA conferences, there were the Joint National Computer Security Conferences, and I went to those, too. I’ve been going to these conferences for about 30 years now.

[...] I am giving serious thought to this being my last RSA Conference — the expense is getting to be too great for value received. The years have accumulated and I find myself increasingly out of step here. I want to do what is right — safe, secure, ensuring privacy — but so much of this industry is built around the idea that “right” means creating a startup and retiring rich in 5 years after an M&A event. I don’t believe that having piles of money is how to measure what is right. I will never retire rich; actually, because I will never be rich, I probably can’t afford to retire! I am also saddened by the lack of even basic awareness of what so many people worked so hard to accomplish as foundations for others to build on. We have a rich history as a field, and a great deal of knowledge. It is sad to see that so much of it is forgotten and ignored.


  • (Score: 1, Insightful) by Anonymous Coward on Sunday March 10 2019, @11:51PM (2 children)

    by Anonymous Coward on Sunday March 10 2019, @11:51PM (#812471)

    "I saw a few vendors who effectively claimed they supported customers keeping longer audit logs that could be examined to find evidence once a breach was discovered. Think about that — the assumption is that assembled products can’t protect an enterprise well enough, or respond quickly, so that a months-long record is needed to find out when and why the failure occurred. Furthermore, that idea is normalized enough that there are companies that can sell products & services around it. Crazy."

    I was starting to hear "Assume breach" as a maxim a decade ago at least.

  • (Score: 2) by krishnoid on Monday March 11 2019, @12:11AM (1 child)

    by krishnoid (1156) on Monday March 11 2019, @12:11AM (#812478)

    The threats contained in those environments would not be simple ones. Harsh weather and natural disasters either kill you or they don't, and once conquered—or adapted to— they lose their relevance. No, the only environmental factors that continued to matter were those that fought back, that countered new strategies with newer ones, that forced their enemies to scale ever-greater heights just to stay alive. Ultimately, the only enemy that mattered was an intelligent one. -- Blindsight, Peter Watts

    Security is one of the areas where the state of the art is always in flux, and the only one where you're actively defending against (no offensive ventures allowed, remember?) a continuously adapting enemy. Assembled, protect, enterprise, 'well enough', failure -- when you're a big target and are fighting off attackers, the definition of these terms and how well your assailants hide evidence is continuously changing to avoid your detection efforts.

    If he had the money to retire and spent his time lobbying the government to require that companies carry cybersecurity breach insurance to do business with the government, we'd start seeing actuarial tables, insurance products, and this whole landscape change in a year.

    • (Score: 2) by MostCynical on Monday March 11 2019, @02:38AM

      by MostCynical (2589) on Monday March 11 2019, @02:38AM (#812521)

      Companies already manage risk: if "cost of dealing with potential threat is greater than $0, or, will delay launch/VC meeting by more than 1 hour, do it "later" (and don't add it to any documentation)"

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex